Mac QuickTime exploit emerges

Hackers now have sample attack code for the newest QuickTime vulnerability that can hijack Macs, including machines running the latest flavour of Mac OS X, Leopard, security researchers warned Thursday.

The news came just days after a bug in QuickTime's handling of the Real Time Streaming Protocol (RTSP), a audio/video-streaming standard, was disclosed on the milw0rm.com website. Proof-of-concept exploit code that worked against Windows XP SP2 and Windows Vista followed shortly after.

But even though analysts confirmed on Monday that Mac OS X versions of QuickTime 7.2 and later are also vulnerable, it took several more days for other researchers to craft a reliable exploit.

On Thursday, Symantec warned its DeepSight customers that a Metasploit exploit module had been released. "This particular exploit can cause remote code execution through the QuickTime RTSP protocol vulnerability on Microsoft Windows and Apple systems," Symantec said in the alert note. "This is the first working exploit for Apple systems that we have observed."

Metasploit, an exploit testing framework created by noted security researcher and hacker HD Moore, has been dubbed a tripwire of sorts by Symantec in the past. "Once we see something in Metasploit, we know it's likely we'll see it used in attacks," Alfred Huger, vice president of engineering with Symantec's security response group, said in July.

According to the proof-of-concept, the Metasploit module works on Intel- and PowerPC-based Macs running either Mac OS X 10.4 (Tiger) or 10.5 (Leopard). It also executes on PCs running Windows XP SP2.

Symantec urged users to disable Apple QuickTime as an RTSP protocol handler and filter outbound traffic over the most common (but not the only available) posts used by RTSP, which include TCP port 554 and UDP ports 6970-6999.

Apple has not yet issued a fix for QuickTime RTSP bug, but when it does, the update will be the media player's seventh security-related fix this year.

The company has not responded to multiple e-mails requesting comment on the vulnerability.